CVE-2025-8920
BaseFortify
Publication date: 2025-08-13
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-diario | 1.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8920 is a stored Cross-Site Scripting (XSS) vulnerability in Portabilis i-Diario version 1.6, specifically in the 'Planos de ensino' input field on the /dicionario-de-termos-bncc endpoint. The application does not properly validate or sanitize user input in this field, allowing an attacker to inject malicious JavaScript code. This code is stored and executed when other users visit certain pages, enabling attacks such as session hijacking, malware delivery, credential theft, and website defacement. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to theft of session cookies, allowing attackers to hijack user sessions. It can also enable delivery of malware, browser hijacking, credential theft, exposure of sensitive user information, website defacement, misdirection of users, and damage to the business's reputation through misinformation or altered content. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'Planos de ensino' input field on the /dicionario-de-termos-bncc endpoint for stored cross-site scripting (XSS). A common detection method is to inject a harmless XSS payload such as `"><img src=x onerror=alert('XSS-PoC')>` into the 'Planos de ensino' field and then check whether the script executes when the affected pages 'Planos de ensino por disciplina' or 'Planos de ensino por áreas do conhecimento' are opened. For command-line testing, tools like curl or Burp Suite can be used to send POST or GET requests with the payload to the vulnerable endpoint. Example curl command: `curl -X POST -d "Planos de ensino=\"><img src=x onerror=alert('XSS-PoC')>" https://target-domain/dicionario-de-termos-bncc`. An alert pop-up or other script execution observed in the browser while viewing those pages confirms the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding use of the vulnerable Portabilis i-Diario 1.6 product or replacing it with an alternative, as no vendor patch or fix is available. Restrict access to the affected component to trusted users only, and implement web application firewall (WAF) rules to detect and block malicious input targeting the 'Planos de ensino' parameter. Additionally, educate users to avoid interacting with suspicious content and monitor for signs of exploitation. Since the vendor did not respond and no official fix exists, these defensive measures are critical to reduce risk. [2]
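As an added example (not from this advisory or from the i-Diario project), the check that the detection and mitigation answers above describe, in Python: it inspects a form-encoded POST to the /dicionario-de-termos-bncc endpoint for markup in the 'Planos de ensino' field, the kind of input-side rule a WAF would enforce, and shows the output escaping that the CWE-79 entry calls for. The form parameter name and the sample request bodies are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qsl

# Endpoint and field named in the advisory. The exact form parameter name the
# browser sends is an assumption; the advisory only names the field.
TARGET_PATH = "/dicionario-de-termos-bncc"
WATCHED_PARAMS = {"Planos de ensino"}

# Markup markers that have no business in a plain-text teaching-plan field.
MARKERS = [
    (re.compile(r"<\s*/?\s*[a-z][\w-]*", re.I), "html tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
]


def find_markers(value: str) -> list:
    """Return the names of every marker present in one submitted value."""
    return [name for pattern, name in MARKERS if pattern.search(value)]


def inspect_request(path: str, body: str) -> list:
    """Inspect a form-encoded POST body sent to the advisory's endpoint.

    Returns (parameter, marker) pairs for watched parameters carrying markup;
    requests to other paths are ignored so the rule stays narrowly scoped."""
    if path.split("?", 1)[0] != TARGET_PATH:
        return []
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in WATCHED_PARAMS:
            for marker in find_markers(value):
                hits.append((name, marker))
    return hits


def render_safe(value: str) -> str:
    """Escape a stored value before placing it in an HTML page: the
    neutralization step whose absence CWE-79 describes."""
    return html.escape(value, quote=True)


# Constructed samples: the advisory's PoC-style payload beside a benign entry.
SAMPLE_MALICIOUS = "Planos+de+ensino=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%27XSS-PoC%27)%3E"
SAMPLE_BENIGN = "Planos+de+ensino=Plano+anual+de+Matem%C3%A1tica+%28ensino+fundamental%29"

if __name__ == "__main__":
    print(inspect_request(TARGET_PATH, SAMPLE_MALICIOUS))
    print(inspect_request(TARGET_PATH, SAMPLE_BENIGN))
    print(render_safe("\"><img src=x onerror=alert('XSS-PoC')>"))
```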